1
00:00:00,460 --> 00:00:07,680
In the last video we talked about network profiling. Another method of profiling is server profiling.

2
00:00:08,400 --> 00:00:14,760
Server profiling information consists of things like what ports the server is listening on, logged-

3
00:00:14,760 --> 00:00:20,900
in users, running processes and tasks, as well as applications.

4
00:00:21,090 --> 00:00:27,570
By tracking this type of information, a contextual view of network hosts would be available for Incident

5
00:00:27,570 --> 00:00:32,500
Response investigations and anomaly detection.

6
00:00:32,520 --> 00:00:38,460
Let's hop in the lab and we'll go through how to identify this profiling information on Microsoft and

7
00:00:38,550 --> 00:00:40,440
Linux servers.

8
00:00:40,440 --> 00:00:44,500
All right, so here I am on a Microsoft Windows Server.

9
00:00:44,520 --> 00:00:52,810
First I'll show you the listening ports on the server. So if you go to Start and then either search for

10
00:00:52,810 --> 00:00:59,690
a command prompt or just pick it from the shortcuts here.

11
00:00:59,740 --> 00:01:03,670
OK, so the command we're going to run is netstat.

12
00:01:03,820 --> 00:01:05,820
And then we'll do -a.

13
00:01:07,180 --> 00:01:12,520
So before I hit enter here, I know there is going to be a long list of listening ports.

14
00:01:12,550 --> 00:01:18,610
So I'm going to first increase my buffer size for my window so that I can scroll all the way to the

15
00:01:18,610 --> 00:01:19,970
top so you can see everything.

16
00:01:19,970 --> 00:01:23,430
So right click on the window, go to Properties.

17
00:01:23,830 --> 00:01:24,490
Layout

18
00:01:32,640 --> 00:01:33,640
and then hit enter.

19
00:01:35,910 --> 00:01:43,250
And I should be able to go back to the top. So here you can see all the listening ports. We have port

20
00:01:43,280 --> 00:01:51,120
80 for HTTP, 88 for Kerberos, 8:57 for LDAP and so on.

21
00:01:51,860 --> 00:01:53,050
Skeer all map.

22
00:01:53,390 --> 00:01:58,090
So as you can see, it's a really easy way just to understand what ports are being listened on on your

23
00:01:58,090 --> 00:01:59,850
servers.

24
00:01:59,950 --> 00:02:06,310
So a good thing to do for any server environment would be to have some documentation on what ports are

25
00:02:06,340 --> 00:02:12,550
being listened on on each of your servers, and make sure to block any ports that you don't want

26
00:02:12,550 --> 00:02:16,350
the server to be listening on in the Windows Firewall.

27
00:02:19,470 --> 00:02:25,470
OK, so next we can actually find the rest of the profiling information we were looking for by simply

28
00:02:25,470 --> 00:02:27,390
going to the Task Manager.

29
00:02:28,020 --> 00:02:32,820
So I'll just go down to the taskbar here, right click somewhere and then click

30
00:02:32,820 --> 00:02:35,330
Task Manager.

31
00:02:35,420 --> 00:02:45,880
So as you can see here we have our applications that are running on the server, processes, services, as

32
00:02:45,880 --> 00:02:49,560
well as the logged-in users.

33
00:02:49,570 --> 00:02:59,340
So this shows that there is an administrator user logged in, which is me, via an RDP session. So that does

34
00:02:59,340 --> 00:03:00,200
it for Windows.

35
00:03:00,210 --> 00:03:06,190
But now let's jump over to a Linux server to find the same information.

36
00:03:06,190 --> 00:03:11,670
All right, so here I am on my Linux server. I'm going to go to the terminal and we'll start off by looking

37
00:03:11,670 --> 00:03:13,670
for listening ports.

38
00:03:13,860 --> 00:03:21,370
You can actually use the netstat command just like we did in Windows, except there are some different options.

39
00:03:21,600 --> 00:03:32,220
So I'm going to add the listening ports and the flags for UDP as well

40
00:03:32,260 --> 00:03:42,830
as TCP. And it looks like the only listening port on the server is UDP 68 for DHCP. To identify users logged

41
00:03:42,830 --> 00:03:47,230
into a Linux machine you can run the w command.

42
00:03:47,370 --> 00:03:54,360
And as I expected, the only user logged in to this Linux box is myself as the root user.

43
00:03:58,700 --> 00:04:06,330
Next, to see the running processes on a Linux server you can run the command top.

44
00:04:06,460 --> 00:04:17,410
And as you can see, you can see the process ID information, users tied to each process, as well as CPU

45
00:04:17,500 --> 00:04:25,690
and memory usage. And then to check all the running applications on the server I can use the command

46
00:04:25,690 --> 00:04:27,010
ps -

47
00:04:30,390 --> 00:04:35,050
and there I have my documentation on my applications running on the system.
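The video walks through the Linux profile by hand (listening ports, the w command, top and ps) and recommends keeping documentation of the expected listening ports. The script below is an added example, not code from the video or its course: it collects the same profile on a Linux host in one shot and checks the current listening ports against a documented baseline file, so an unexpected listener shows up as a diff rather than something you have to spot by eye. It assumes iproute2 `ss` and procps `w` and `ps` are installed; the baseline file name is a made-up placeholder, and the sample `ss` output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the course video): snapshot a Linux server profile and
# compare listening ports against a documented baseline.
# Assumes: iproute2 `ss`, procps `w` and `ps`. Baseline path is a placeholder you supply.

# Turn `ss -tuln` output (read from stdin) into sorted "proto port" lines such as
# "tcp 22". Column 5 is Local Address:Port; stripping up to the last ":" handles
# IPv4 (0.0.0.0:22), IPv6 ([::]:22) and wildcard (*:22) forms alike.
parse_ss() {
    awk 'NR > 1 { sub(/.*:/, "", $5); print $1, $5 }' | sort -u
}

# Current listening sockets: -t TCP, -u UDP, -l listening only, -n numeric.
# (`netstat -tuln`, the command used in the video, prints the same columns.)
listening_ports() {
    ss -tuln | parse_ss
}

# Print every "proto port" line on stdin that is absent from the baseline file $1.
# Returns 1 when something unexpected is listening, 0 when the host matches,
# 2 when the baseline cannot be read (so a missing file never passes silently).
unexpected_ports() {
    [ -r "$1" ] || { echo "baseline file '$1' not readable" >&2; return 2; }
    if sort -u | grep -vxF -f "$1"; then
        return 1   # grep printed lines that are not in the baseline
    fi
    return 0
}

# Full profile, suitable for saving as the server's documentation:
# ports, logged-in users (like `w`) and the top processes by CPU (like `top`/`ps`).
profile_snapshot() {
    echo "## listening ports";   listening_ports
    echo "## logged-in users";   w -h
    echo "## running processes"; ps -eo pid,user,pcpu,pmem,comm --sort=-pcpu | head -n 20
}

# Usage:  sh profile.sh snapshot                 -> print the profile
#         sh profile.sh check ports-baseline.txt -> list ports not in the baseline, exit 1 if any
case "${1:-}" in
    snapshot) profile_snapshot ;;
    check)    listening_ports | unexpected_ports "$2" ;;
esac
```

Run `snapshot` once on a freshly built server and keep the "listening ports" section as the baseline; a scheduled `check` then flags any new listener, which is the kind of change worth correlating with the user and process lists during an investigation.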